Back to skill

Security audit

Alibabacloud Ehpc Instant Job Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a real Alibaba Cloud E-HPC job-management aid, but it also documents and scripts broader cloud actions that can create public, billable resources or delete infrastructure.

Install only if you intend to let an agent manage Alibaba Cloud E-HPC resources. Use a dedicated least-privilege RAM user, review the broad reference commands before granting permissions, avoid the SDK examples unless you add your own confirmation step, and be especially cautious with long-running VM jobs because they may create public, billable resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The reference document materially expands the operational scope from job management into image, pool, action plan, monitoring, executor, tag, and application management. In an agent skill context, this can cause the agent to perform unintended privileged administrative actions beyond user expectations, increasing the blast radius of prompt-induced misuse or accidental execution.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Application synchronization is unrelated to the stated purpose of job management and introduces cross-region state-changing capability. In an agent setting, this unjustified privilege can be abused to replicate or modify application assets across regions, leading to unauthorized changes and expanded operational impact.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The referenced document substantially expands the skill from EHPC Instant job management into full NAS administration, including create, modify, mount target, and delete operations. This broadens the agent's effective capability beyond its declared scope, increasing the chance of unauthorized storage changes, destructive actions, and user confusion about what the skill is permitted to do.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The manual includes instructions to create NAS access groups and access rules, which are security-boundary controls rather than simple job-management actions. If followed by an agent or user under the assumption this skill is limited to EHPC jobs, these commands could weaken storage network protections or grant broader read/write access to NAS resources.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This reference file substantially expands the skill from EHPC Instant job management into general VPC/vSwitch lifecycle administration, including creation, modification, deletion, and VPC provisioning. In an agent skill, this scope creep is dangerous because it equips the agent to perform high-impact infrastructure changes unrelated to the stated user purpose, increasing the chance of unauthorized or overly broad network operations.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The file provides step-by-step commands for creating, modifying, and deleting core network infrastructure, which exceeds the declared capability of a job-management skill. If the agent uses this material, a user could pivot from job submission into altering production networking, causing outages, exposure, or persistent environmental changes.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Adding route-table and security-group inspection guidance broadens the skill into adjacent security and network-enumeration tasks not required for EHPC Instant job management. Even though these are read-oriented commands, they reveal topology and security configuration details that can aid lateral discovery or misuse in an over-permissioned environment.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The deployment policy sets EnableExternalIpAddress to true, causing the created VM job to receive a public IP. In a job-management skill, exposing a long-running VM to the public internet materially increases attack surface and can enable unauthorized access, scanning, brute force attempts, or compromise of a service that the user may have expected to remain private.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script provisions a long-running VM job with both a login password and an external IP address, effectively creating a remotely reachable host rather than a bounded batch job. In the context of an agent skill for job management, this expands capability into persistent remote compute access and materially increases the risk of unauthorized access, misuse, and unexpected exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide instructs users to configure long-lived AccessKey ID and AccessKey Secret values but does not include any warning about secure handling, least privilege, local file protection, or avoiding credential disclosure. In a skill intended to manage cloud jobs, this can lead users to store sensitive cloud credentials insecurely or reuse over-privileged keys, increasing the chance of account compromise and unauthorized resource access.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The AI-Mode section states that the CLI automatically attaches skill identity information, but it does not clearly warn that enabling this sends metadata to the remote service. While this is not credential leakage by itself, it can expose usage context, tool identity, and calling patterns that users may not expect, which is a privacy and transparency issue.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document includes destructive commands such as deleting jobs, images, pools, and plans without prominent warnings, confirmation guidance, or safe-operating notes. In an AI-assisted workflow, users or agents may execute these examples directly, causing irreversible resource deletion or service disruption.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The batch cleanup script performs real deletion of completed jobs and is readily copy-pastable, but provides no warning, review step, or confirmation barrier. In agent-driven or semi-automated environments, this raises the risk of unintended mass deletion, especially if filters or parsing behave unexpectedly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation includes direct deletion commands for vSwitch resources and only embeds caution as general prose rather than enforcing an explicit execution warning or confirmation step. In an agent context, destructive commands without strong safeguards can be copied or automated, leading to accidental deletion of active networking components and downstream service disruption.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code immediately submits a remote resource creation request that can allocate compute infrastructure and potentially incur cost or create exposed assets, without any confirmation, dry-run mode, or user-facing warning. In an agent-integrated skill, this is more dangerous because automation may trigger infrastructure changes with limited user awareness.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.